Street surveillance technologies such as automatic license plate readers, facial recognition systems and cell site simulators (CSS) have become increasingly common. Of these, CSS (also known as "stingrays" or "IMSI catchers") are particularly worrisome because of their ability to masquerade as legitimate cell phone towers and intercept and record sensitive information from mobile devices. Therefore, the Electronic Frontier Foundation (EFF) developed an open source tool called Rayhunter to help detect and understand the use of these devices.
CSS works by mimicking cell phone towers, tricking nearby phones into connecting to the tower instead of the legitimate one. This allows law enforcement to determine a phone's location more accurately than other methods and record unique identifiers such as IMSI numbers and IMEIs without having to involve the phone company. Some CSS can even intercept communications under certain conditions, including phone calls, text messages, and mobile internet traffic.
However, the exact capabilities and deployment of CSS remain largely unknown due to a lack of transparency from manufacturers and law enforcement agencies, according to the EFF.
These devices can be used to track individuals without their knowledge, often without a warrant, raising serious legal and ethical questions. In some cases, CSS has been used at protests and other gatherings to surveil large groups of people without justification, potentially violating First Amendment rights.
EFF created Rayhunter to identify when these technologies are being used. The tool runs on an Orbic mobile hotspot that costs less than $20, and EFF has designed a user-friendly tool that can be used by individuals of all skill levels.
Rayhunter intercepts and analyzes control traffic between mobile hotspots and base stations, looking for suspicious events such as forced downgrades to easily intercepted 2G networks, or unusual IMSI requests that may indicate CSS activity. It alerts users to potential threats and allows users to view logs for further analysis.
Rayhunter's interface is very simple, using a color-coded system to show if any suspicious activity has been detected. Green lines (blue lines for color-blind users) indicate no threats detected, while red signals indicate potential CSS activity.
Users can access detailed logs through a web-based interface via a Wi-Fi network connected to a hotspot or a USB connection using Android Debug Bridge (ADB).
Installing Rayhunter is relatively simple: download the package, plug in the device, and run the installation script on your Mac or Linux system. The tool is open source and available on GitHub under the GPL-3.0 license.
By launching Rayhunter, EFF hopes to determine whether CSS is being used to monitor First Amendment-protected events, such as protests or religious gatherings, and to gather empirical data on the vulnerabilities used by these devices. The data will also help researchers understand how CSS exploits network vulnerabilities so they can develop better defenses.
The EFF also wants to see Rayhunter inform policy discussions and strengthen legal protections against unauthorized surveillance, especially in countries without robust free speech protections. In the United States, for example, there have been attempts to introduce legislation such as the Cell-SiteSimulator Warrant Act, which requires authorization when using CSS, but these efforts have faced challenges. There is growing recognition of the need for oversight: the Department of Justice has implemented policies requiring a search warrant when using CSS in many circumstances.